diff --git a/CVE-2022-0530.patch b/CVE-2022-0530.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a9df2e10803fc435393d352c93f6c2c54824b98f
--- /dev/null
+++ b/CVE-2022-0530.patch
@@ -0,0 +1,27 @@
+diff --git a/fileio.c b/fileio.c
+index 6290824..77e4b5f 100644
+--- a/fileio.c
++++ b/fileio.c
+@@ -2361,6 +2361,9 @@ int do_string(__G__ length, option) /* return PK-type error code */
+ /* convert UTF-8 to local character set */
+ fn = utf8_to_local_string(G.unipath_filename,
+ G.unicode_escape_all);
++ if (fn == NULL)
++ return PK_ERR;
++
+ /* make sure filename is short enough */
+ if (strlen(fn) >= FILNAMSIZ) {
+ fn[FILNAMSIZ - 1] = '\0';
+diff --git a/process.c b/process.c
+index d2a846e..715bc0f 100644
+--- a/process.c
++++ b/process.c
+@@ -2605,6 +2605,8 @@ char *utf8_to_local_string(utf8_string, escape_all)
+ int escape_all;
+ {
+ zwchar *wide = utf8_to_wide_string(utf8_string);
++ if (wide == NULL)
++ return NULL;
+ char *loc = wide_to_local_string(wide, escape_all);
+ free(wide);
+ return loc;
diff --git a/unzip.spec b/unzip.spec
index aaacc81939da212b29fc13d567bf54d524f489d5..5d7c7695c9f88ee67074a60592991af980835e46 100644
--- a/unzip.spec
+++ b/unzip.spec
@@ -1,4 +1,4 @@
-%define anolis_release 4
+%define anolis_release 5
 Name: unzip
 Epoch: 1
@@ -70,6 +70,9 @@ Patch31: 0031-unzip-zipbomb-part6.patch
 Patch32: 0032-unzip-zipbomb-switch.patch
 Patch33: 33-bugfix-for-CVE-2022-0529.patch
+#https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=1010355;filename=CVE-2022-0530.patch;msg=5
+Patch34: CVE-2022-0530.patch
+
 BuildRequires: make
 BuildRequires: bzip2-devel, gcc
@@ -114,6 +117,9 @@ make -f unix/Makefile prefix=$RPM_BUILD_ROOT%{_prefix} MANDIR=$RPM_BUILD_ROOT%{_
 %doc README BUGS
 %changelog
+* Tue Sep 23 2025 Hong Wei Qin - 1:6.0-5
+- Fix CVE-2022-0530
+
 * Tue Sep 02 2025 tomcruiseqi - 1:6.0-4
 - Fix CVE-2022-0529
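Review bot: In the process.c part of CVE-2022-0530.patch, the new `if (wide == NULL) return NULL;` sits ahead of the `char *loc = wide_to_local_string(wide, escape_all);` declaration, so a statement now precedes a declaration in a function written in K&R style; a strict C89 build may reject that. Declaring `char *loc;` alongside `wide` and assigning `loc = wide_to_local_string(wide, escape_all);` after the check keeps the fix and matches the file's style. With this change utf8_to_local_string() returns NULL on a failed wide conversion, and only the do_string() call site in fileio.c gains a check; any other callers are outside this patch and should be confirmed to test for NULL before the result reaches strlen() or a copy. Both function bodies start and end outside the hunks shown.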
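Review bot: `Patch34: CVE-2022-0530.patch` is declared in unzip.spec, but no hunk in this commit touches %prep, so whether the fix is actually applied depends on how %prep is written, which is not visible here. If %prep lists patches one by one rather than using `%autosetup` or `%autopatch`, a matching `%patch34 -p1` line is needed; otherwise the package would ship as release 5 with the changelog claiming the CVE fix while fileio.c and process.c stay unpatched. Confirming in the build log that both files are patched would settle it.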